Hi all,
I've got data ingesting from a couple of servers, and setup went okay with the real-time returning results but something seems to be wrong with my data model acceleration since no other dashboard has content.
The "Data Model Acceleration check" returns returns red exclamations despite saying it is 100% and the Data Model Audit is equally affirming.
Nothing is jumping out at me from the Search job inspector, so what could be going wrong here and how to I get the remaining features working?
Hi
Can you check if there is an eval function in the Web datamodel called “dmReload”? In some cases this field has been known to prevent the DM from accelerating and the tstats from running. A workaround is to simply delete this field and eval function altogether from the Web datamodel in the app.
Try this and then manually triggering a DM rebuild.
j
Hi
Can you check if there is an eval function in the Web datamodel called “dmReload”? In some cases this field has been known to prevent the DM from accelerating and the tstats from running. A workaround is to simply delete this field and eval function altogether from the Web datamodel in the app.
Try this and then manually triggering a DM rebuild.
j
That did it! Thanks.
I'm not clear what that function is supposed to do...
Hi chaoservices
Double check the troubleshooting section on the documentation page. I suspect the DM is accelerate but contains 0 Events, hence the red check.
In order for the data model to get data, you need to make sure the events are tagged with "web", this will happen automatically if you are using the default sourcetypes (iis or access_combined). Another issue could be that certain fields are not extracted correctly like the "file" field which is important to determine the type of request in the log file.
Check these things and let me know how you get along.
j
Good points. I noticed that the Splunk CIM also had a DM Web
and when I disabled that App the Data Model Acceleration check table became clearer (Acceleration, 1, Status, 100%, Events, 0). So I ran the lookups again and rebuilt the DM Web
but no dice.
tag=web
is returning results with clean and discrete fields (file
looks like a list of files 🙂 and the DM seems to contain data (it has size and buckets) but I still get the error: Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
Perhaps something is wrong with the Knowledge Objects getting distributed to the indexers?